Malware masterplan: NSA targeted Google & Samsung app stores to harvest data

Reuters / Pawel Kopczynsky
The NSA and its spying partners wanted to hack into smartphones via Google and Samsung App stores and infect them with spyware. The revelations came from a top secret document released by NSA whistleblower Edward Snowden.

The surveillance project wanted to implement a spying system called XKEYSCORE, which would be able to identify smartphone traffic flowing across internet cables and then track down smartphone connections to the app servers, which were operated by Google and Samsung. The information was released Wednesday to CBC News in Canada and the Intercept.

The aim was then to infect every app listed in the store with malware, in a project codenamed IRRITANT HORN. Users of the Google Play Store and Samsung App Store would then download the infected apps, thus making it easier for the NSA and its partners to spy smartphone users around the globe.

This would give them the chance to access emails, texts, web history, call records, videos, photos and other files stored on them.

"What they are clearly looking for are common points, points where thousands, millions of internet users actively engage in, knowing that if they can find ways to exploit those servers, they will be privy to huge amounts of data about people's internet use, and perhaps use bits and pieces of that to make correlations," Michael Geist, an internet law expert at the University of Ottawa, told CBC News.

READ MORE: Apple, Google and 140+ tech firms urge Obama not to give police 'backdoor' access to encrypted phone data

The program was the brainchild of the “Five Eyes” alliance, which includes the US, Canada, the UK, New Zealand and Australia. The team worked on these projects during workshops held in Australia and Canada between November 2011 and February 2012. They said it was necessary to combat terrorism.

"All of this is being done in the name of providing safety and yet … Canadians or people around the world are put at risk," Geist said.

Previous documents leaked by Snowden have shown that the Five Eyes alliance had designed spyware for iPhones and Android smartphones. However, it was never clear how the agencies intended to get the malware onto the phones in the first place.

According to material received by the Intercept, the agencies did not just want to use app stores to infect smartphones with spyware. They were also eager to find ways to hijack them as a way of sending “selective misinformation to the targets’ handsets” as part of so-called “effects” operations that are used to spread propaganda or confuse adversaries. Moreover, the agencies wanted to gain access to companies’ app store servers so they could secretly use them for “harvesting” information about phone users.

The app stores targeted were located in France, Switzerland, the Netherlands, the Bahamas, Morocco, Cuba and Russia.

The NSA and their allies also targeted the UC Browser, which is a popular app used to surf the internet in Asia. Although relatively unknown in Europe, its reach across Asia meant that it was used by half a billion smartphone users. The Five Eyes agencies were able to discover a privacy flaw in its security, which leaked its users' phone numbers, SIM card numbers and details about the device to servers in China.

According to Citizen Lab director Ron Deibert, the breach that was discovered in the UC Browser not only left millions of users open to the surveillance of the NSA and its partners, but could have also potentially been used by criminal hackers to access sensitive information.

“Of course, the security agencies don’t [disclose the information],” Deibert said. “Instead, they harbor the vulnerability. They essentially weaponize it.” Taking advantage of weaknesses in apps like UC Browser “may make sense from a very narrow national security mindset,” Deibert added, “but it’s at the expense of the privacy and security of hundreds of millions of users worldwide,” the Intercept reported.

The Intercept contacted all of the Five Eyes agencies for comments regarding the allegations.

The British agency Government Communications Headquarters (GCHQ) said that its work was “carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorized, necessary and proportionate.”